Update to 1.4.6. Fixes rhbz#1574091

2021-12-03 12:35:13 -08:00 · 2021-12-03 12:35:13 -08:00 · 05dd5ff7f7
commit 05dd5ff7f7
parent 9ffebb5d24
7 changed files with 7 additions and 4024 deletions
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,4 @@ conntrack-tools-0.9.14.tar.bz2
 /conntrack-tools-1.4.3.tar.bz2
 /conntrack-tools-1.4.4.tar.bz2
 /conntrack-tools-1.4.5.tar.bz2
 /conntrack-tools-1.4.6.tar.bz2
--- a/conntrack-tools-1.4.4-free-pktb-after-use.patch
+++ b/conntrack-tools-1.4.4-free-pktb-after-use.patch
@ -1,29 +0,0 @@
 From 832166dc4780e259424ebab07b42ecf42cde6fe3 Mon Sep 17 00:00:00 2001
 From: Kevin Cernekee <cernekee@chromium.org>
 Date: Fri, 27 Jan 2017 12:38:46 -0800
 Subject: conntrackd: cthelper: Free pktb after use
 According to valgrind, this currently leaks ~512B to 2kB for each
 packet sent to the userspace helper.
 Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/cthelper.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/cthelper.c b/src/cthelper.c
 index 54eb830..f01c509 100644
 --- a/src/cthelper.c
 +++ b/src/cthelper.c
@@ -325,6 +325,7 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
 	if (pkt_verdict_issue(helper, myct, queue_num, id, verdict, pktb) < 0)
 		goto err4;
 +	pktb_free(pktb);
 	nfct_destroy(ct);
 	if (myct->exp != NULL)
 		nfexp_destroy(myct->exp);
 -- 
 cgit v0.12
--- a/conntrack-tools-1.4.4-nat_tuple-leak.patch
+++ b/conntrack-tools-1.4.4-nat_tuple-leak.patch
@ -1,57 +0,0 @@
 From 1ba5e76a368aeb9fe17d3b691df4faa0dadc4523 Mon Sep 17 00:00:00 2001
 From: Kevin Cernekee <cernekee@chromium.org>
 Date: Thu, 26 Jan 2017 16:44:24 -0800
 Subject: conntrackd: cthelper: Don't leak nat_tuple
 nfexp_set_attr() copies |nat_tuple| rather than taking ownership, so
 it should be freed at the end of the loop.  Some of the other helpers
 (like rpc.c) do this, but it is missing here.
 Reported-by: Eric Caruso <ejcaruso@chromium.org>
 Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/helpers/amanda.c | 1 +
 src/helpers/ftp.c    | 1 +
 src/helpers/tftp.c   | 1 +
 3 files changed, 3 insertions(+)
 diff --git a/src/helpers/amanda.c b/src/helpers/amanda.c
 index 9e6c4e7..faee1cd 100644
 --- a/src/helpers/amanda.c
 +++ b/src/helpers/amanda.c
@@ -75,6 +75,7 @@ static int nat_amanda(struct pkt_buff *pkt, uint32_t ctinfo,
 			break;
 		}
 	}
 +	nfct_destroy(nat_tuple);
 	if (port == 0) {
 		pr_debug("all ports in use\n");
 diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
 index 27ab5eb..c3aa284 100644
 --- a/src/helpers/ftp.c
 +++ b/src/helpers/ftp.c
@@ -423,6 +423,7 @@ static unsigned int nf_nat_ftp(struct pkt_buff *pkt,
 			break;
 		}
 	}
 +	nfct_destroy(nat_tuple);
 	if (port == 0)
 		return NF_DROP;
 diff --git a/src/helpers/tftp.c b/src/helpers/tftp.c
 index 45591c6..70dd28a 100644
 --- a/src/helpers/tftp.c
 +++ b/src/helpers/tftp.c
@@ -65,6 +65,7 @@ static unsigned int nat_tftp(struct pkt_buff *pkt, uint32_t ctinfo,
 	nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, MYCT_DIR_REPL);
 	nfexp_set_attr(exp, ATTR_EXP_FN, "nat-follow-master");
 	nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat_tuple);
 +	nfct_destroy(nat_tuple);
 	return NF_ACCEPT;
 }
 -- 
 cgit v0.12
--- a/conntrack-tools-20150818.patch
+++ b/conntrack-tools-20150818.patch
--- a/conntrack-tools-coverity20150818.patch
+++ b/conntrack-tools-coverity20150818.patch
@ -1,217 +0,0 @@
 diff --git a/src/cache.c b/src/cache.c
 index 7c41e54..79a024f 100644
 --- a/src/cache.c
 +++ b/src/cache.c
@@ -34,7 +34,7 @@ struct cache_feature *cache_feature[CACHE_MAX_FEATURE] = {
 };
 struct cache *cache_create(const char *name, enum cache_type type,
 -			   unsigned int features, 
 +			   unsigned int features,
 			   struct cache_extra *extra,
 			   struct cache_ops *ops)
 {
@@ -53,7 +53,8 @@ struct cache *cache_create(const char *name, enum cache_type type,
 		return NULL;
 	memset(c, 0, sizeof(struct cache));
 -	strcpy(c->name, name);
 +	strncpy(c->name, name, CACHE_MAX_NAMELEN);
 +	c->name[CACHE_MAX_NAMELEN - 1] = '\0';
 	c->type = type;
 	for (i = 0; i < CACHE_MAX_FEATURE; i++) {
 diff --git a/src/cthelper.c b/src/cthelper.c
 index 6537515..54eb830 100644
 --- a/src/cthelper.c
 +++ b/src/cthelper.c
@@ -277,11 +277,11 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
 	if (!attr[NFQA_PAYLOAD]) {
 		dlog(LOG_ERR, "packet with no payload");
 -		goto err;
 +		goto err1;
 	}
 	if (!attr[NFQA_CT] || !attr[NFQA_CT_INFO]) {
 		dlog(LOG_ERR, "no CT attached to this packet");
 -		goto err;
 +		goto err1;
 	}
 	pkt = mnl_attr_get_payload(attr[NFQA_PAYLOAD]);
@@ -292,22 +292,22 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
 	queue_num = ntohs(nfg->res_id);
 	if (pkt_get(pkt, pktlen, ntohs(ph->hw_protocol), &protoff))
 -		goto err;
 +		goto err1;
 	ct = nfct_new();
 	if (ct == NULL)
 -		goto err;
 +		goto err1;
 	if (nfct_payload_parse(mnl_attr_get_payload(attr[NFQA_CT]),
 			       mnl_attr_get_payload_len(attr[NFQA_CT]),
 			       l3num, ct) < 0) {
 		dlog(LOG_ERR, "cannot convert message to CT");
 -		goto err;
 +		goto err2;
 	}
 	myct = calloc(1, sizeof(struct myct));
 	if (myct == NULL)
 -		goto err;
 +		goto err2;
 	myct->ct = ct;
 	ctinfo = ntohl(mnl_attr_get_u32(attr[NFQA_CT_INFO]));
@@ -315,15 +315,15 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
 	/* XXX: 256 bytes enough for possible NAT mangling in helpers? */
 	pktb = pktb_alloc(AF_INET, pkt, pktlen, 256);
 	if (pktb == NULL)
 -		goto err;
 +		goto err3;
 	/* Misconfiguration: if no helper found, accept the packet. */
 	helper = helper_run(pktb, protoff, myct, ctinfo, queue_num, &verdict);
 	if (!helper)
 -		goto err_pktb;
 +		goto err4;
 	if (pkt_verdict_issue(helper, myct, queue_num, id, verdict, pktb) < 0)
 -		goto err_pktb;
 +		goto err4;
 	nfct_destroy(ct);
 	if (myct->exp != NULL)
@@ -333,18 +333,19 @@ static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
 	free(myct);
 	return MNL_CB_OK;
 -err_pktb:
 +err4:
 	pktb_free(pktb);
 -err:
 +err3:
 +	free(myct);
 +err2:
 +	nfct_destroy(ct);
 +err1:
 	/* In case of error, we don't want to disrupt traffic. We accept all.
 	 * This is connection tracking after all. The policy is not to drop
 	 * packet unless we enter some inconsistent state.
 	 */
 	pkt_verdict_error(queue_num, id);
 -	if (ct != NULL)
 -		nfct_destroy(ct);
 -
 	return MNL_CB_OK;
 }
 diff --git a/src/local.c b/src/local.c
 index 453799a..3395b4c 100644
 --- a/src/local.c
 +++ b/src/local.c
@@ -77,7 +77,7 @@ int do_local_server_step(struct local_server *server, void *data,
 	int rfd;
 	struct sockaddr_un local;
 	socklen_t sin_size = sizeof(struct sockaddr_un);
 -	
 +
 	rfd = accept(server->fd, (struct sockaddr *) &local, &sin_size);
 	if (rfd == -1)
 		return -1;
@@ -147,11 +147,14 @@ int do_local_request(int request,
 	ret = send(fd, &request, sizeof(int), 0);
 	if (ret == -1)
 -		return -1;
 +		goto err1;
 	do_local_client_step(fd, step);
 	local_client_destroy(fd);
 -	
 +
 	return 0;
 +err1:
 +	local_client_destroy(fd);
 +	return -1;
 }
 diff --git a/src/parse.c b/src/parse.c
 index f3ec6ac..919d36c 100644
 --- a/src/parse.c
 +++ b/src/parse.c
@@ -297,7 +297,7 @@ int msg2ct(struct nf_conntrack *ct, struct nethdr *net, size_t remain)
 			return -1;
 		if (attr->nta_len < NTA_LENGTH(0))
 			return -1;
 -		if (attr->nta_attr > NTA_MAX)
 +		if (attr->nta_attr >= NTA_MAX)
 			return -1;
 		if (h[attr->nta_attr].size &&
 		    attr->nta_len != h[attr->nta_attr].size)
@@ -510,7 +510,7 @@ int msg2exp(struct nf_expect *exp, struct nethdr *net, size_t remain)
 		ATTR_NETWORK2HOST(attr);
 		if (attr->nta_len > len)
 			goto err;
 -		if (attr->nta_attr > NTA_MAX)
 +		if (attr->nta_attr >= NTA_EXP_MAX)
 			goto err;
 		if (attr->nta_len < NTA_LENGTH(0))
 			goto err;
@@ -524,13 +524,15 @@ int msg2exp(struct nf_expect *exp, struct nethdr *net, size_t remain)
 			attr = NTA_NEXT(attr, len);
 			continue;
 		}
 -		switch(exp_h[attr->nta_attr].exp_attr) {
 +		switch (exp_h[attr->nta_attr].exp_attr) {
 		case ATTR_EXP_MASTER:
 			exp_h[attr->nta_attr].parse(master, attr->nta_attr,
 						    NTA_DATA(attr));
 +			break;
 		case ATTR_EXP_EXPECTED:
 			exp_h[attr->nta_attr].parse(expected, attr->nta_attr,
 						    NTA_DATA(attr));
 +			break;
 		case ATTR_EXP_MASK:
 			exp_h[attr->nta_attr].parse(mask, attr->nta_attr,
 						    NTA_DATA(attr));
 diff --git a/src/process.c b/src/process.c
 index 7f0a395..3ddad5f 100644
 --- a/src/process.c
 +++ b/src/process.c
@@ -48,6 +48,8 @@ int fork_process_new(int type, int flags, void (*cb)(void *data), void *data)
 	if (c->pid > 0)
 		list_add(&c->head, &process_list);
 +	else
 +		free(c);
 	return pid;
 }
 diff --git a/src/tcp.c b/src/tcp.c
 index af27c46..e570880 100644
 --- a/src/tcp.c
 +++ b/src/tcp.c
@@ -247,13 +247,11 @@ int tcp_accept(struct tcp_sock *m)
 	/* the other peer wants to connect ... */
 	ret = accept(m->fd, NULL, NULL);
 	if (ret == -1) {
 -		if (errno != EAGAIN) {
 -			/* unexpected error. Give us another try. */
 -			m->state = TCP_SERVER_ACCEPTING;
 -		} else {
 -			/* waiting for new connections. */
 -			m->state = TCP_SERVER_ACCEPTING;
 -		}
 +	/* unexpected error: Give us another try. Or we have hit
 +	 * -EAGAIN, in that case we remain in the accepting connections
 +	 * state.
 +	 */
 +	m->state = TCP_SERVER_ACCEPTING;
 	} else {
 		/* the peer finally got connected. */
 		if (fcntl(ret, F_SETFL, O_NONBLOCK) == -1) {
--- a/conntrack-tools.spec
+++ b/conntrack-tools.spec
@ -1,7 +1,7 @@
 %undefine _hardened_build
 Name:           conntrack-tools
-Version:        1.4.5
+Version:        1.4.6
-Release:        8%{?dist}
+Release:        1%{?dist}
 Summary:        Manipulate netfilter connection tracking table and run High Availability
 License:        GPLv2
 URL:            http://conntrack-tools.netfilter.org/
@ -86,6 +86,9 @@ install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/
 %systemd_postun conntrackd.service 
 %changelog
 * Fri Dec 03 2021 Kevin Fenzi <kevin@scrye.com> - 1.4.6-1
 - Update to 1.4.6. Fixes rhbz#1574091
 * Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.5-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (conntrack-tools-1.4.5.tar.bz2) = 480fe2cc4420bc8477a2ba67b3d052bcb39c6b3ec000cff27fc12db70b42ec94fa3b5fe12ee35d439e88d9a631a33cd12ae470b69dde6d371d4e53af62a2eed1
+SHA512 (conntrack-tools-1.4.6.tar.bz2) = a48260308a12b11b584fcf4658ec2c4c1adb2801c9cf9a73fc259e5c30d2fbe401aca21e931972413f03e415f98fbf9bd678d2126faa6c6d5748e8a652e58f1a
`@ -1 +1 @@`
	`SHA512 (conntrack-tools-1.4.5.tar.bz2) = 480fe2cc4420bc8477a2ba67b3d052bcb39c6b3ec000cff27fc12db70b42ec94fa3b5fe12ee35d439e88d9a631a33cd12ae470b69dde6d371d4e53af62a2eed1`	`SHA512 (conntrack-tools-1.4.6.tar.bz2) = a48260308a12b11b584fcf4658ec2c4c1adb2801c9cf9a73fc259e5c30d2fbe401aca21e931972413f03e415f98fbf9bd678d2126faa6c6d5748e8a652e58f1a`